Malware Analysis Report

2024-10-23 16:16

Sample ID 240130-x2m2sacdhq
Target Market_Time_New_Conditions.exe
SHA256 428d51259ad927c58ea5abb9eca6e0dce4fee5d97e20f78abba194c8c4faadfd
Tags
netsupport persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

428d51259ad927c58ea5abb9eca6e0dce4fee5d97e20f78abba194c8c4faadfd

Threat Level: Known bad

The file Market_Time_New_Conditions.exe was found to be: Known bad.

Malicious Activity Summary

netsupport persistence rat

NetSupport

Drops file in Drivers directory

Sets service image path in registry

Executes dropped EXE

Registers COM server for autorun

Checks computer location settings

Loads dropped DLL

Blocklisted process makes network request

Modifies WinLogon

Enumerates connected drives

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-30 19:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-30 19:21

Reported

2024-01-30 19:23

Platform

win7-20231215-en

Max time kernel

118s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Market_Time_New_Conditions.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Market_Time_New_Conditions.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Market_Time_New_Conditions.exe

"C:\Users\Admin\AppData\Local\Temp\Market_Time_New_Conditions.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 niklomertie.shop udp
US 198.187.29.22:443 niklomertie.shop tcp

Files

memory/2144-0-0x0000000000EA0000-0x0000000000F44000-memory.dmp

memory/2144-1-0x0000000073FB0000-0x000000007469E000-memory.dmp

memory/2144-2-0x0000000004480000-0x00000000044C0000-memory.dmp

memory/2144-3-0x0000000000C70000-0x0000000000CE6000-memory.dmp

memory/2144-4-0x0000000073FB0000-0x000000007469E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-30 19:21

Reported

2024-01-30 19:23

Platform

win10v2004-20231215-en

Max time kernel

161s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Market_Time_New_Conditions.exe"

Signatures

NetSupport

rat netsupport

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\nskbfltr.sys C:\Program Files (x86)\NetSupport\NetSupport Manager\winst64.exe N/A
File created C:\Windows\system32\drivers\nskbfltr2.sys C:\Program Files (x86)\NetSupport\NetSupport Manager\winst64.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nskbfltr\ImagePath = "\\SystemRoot\\system32\\drivers\\nskbfltr.sys" C:\Windows\Installer\MSI6D4A.tmp N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Market_Time_New_Conditions.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\NetSupport Manager\winst64.exe N/A
N/A N/A C:\Windows\Installer\MSI6D4A.tmp N/A
N/A N/A C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71C5A887-11E0-4c5a-9B9B-D4A074555692}\InProcServer32 C:\Program Files (x86)\NetSupport\NetSupport Manager\winst64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71C5A887-11E0-4c5a-9B9B-D4A074555692}\InProcServer32\ = "Client32Provider.dll" C:\Program Files (x86)\NetSupport\NetSupport Manager\winst64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71C5A887-11E0-4c5a-9B9B-D4A074555692}\InProcServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\NetSupport\NetSupport Manager\winst64.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
File opened (read-only) \??\B: C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "0" C:\Windows\Installer\MSI6D4A.tmp N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\loca[1].htm C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
File created C:\Windows\SysWOW64\pcimsg.dll C:\Windows\Installer\MSI6D4A.tmp N/A
File created C:\Windows\system32\client32provider.dll C:\Program Files (x86)\NetSupport\NetSupport Manager\winst64.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
File opened for modification C:\Windows\SysWOW64\pcimsg.dll C:\Windows\Installer\MSI6D4A.tmp N/A
File opened for modification C:\Windows\system32\client32provider.dll C:\Program Files (x86)\NetSupport\NetSupport Manager\winst64.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\gdihook5.INF C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\nssres_125.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-crt-process-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-profile-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\CryptPak.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\btn_down.gif C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\x64\gdihook5.sys C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\pcisys.sys C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\WINSTALL.EXE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\NSM.ini C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\msvcr100.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\Control.kbd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\btn_up_grey.gif C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\nspscr.inf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-crt-conio-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-rtlsupport-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\libcrypto-1_1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\DeskDup.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-crt-time-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-crt-private-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\Client32Provider.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\AudioCapture.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\Ixmqmccr_HW_U1.bin C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\remcmdstub.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\bar.gif C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\disk2.gif C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\keyboard2.gif C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\nsmres_250.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-crt-runtime-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-string-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\PCIVDD.DLL C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\computer2.gif C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\nskbfltr2.sys C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\btn_up.gif C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\msvcp100.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\shfolder.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\logo.png C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\nskbfltr.inf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\nspscr.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\PCICHEK.DLL C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\winst64.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\NSM.LIC C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\vcruntime140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-crt-heap-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-interlocked-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\StoreInvDll.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\nspscr.sys C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-sysinfo-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-file-l2-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\injlib.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\PCIinv.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\redbar.gif C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicapi.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\Client32.ini C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\_Data.lnk C:\Windows\Installer\MSI6D4A.tmp N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\nssres.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-libraryloader-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\_Gedeelde gegevens.lnk C:\Windows\Installer\MSI6D4A.tmp N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\checkdvd.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\toastImageAndText.png C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\NSClient32UI.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\NetSupport Manager\nssres_300.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI4176.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5126.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5873.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4F5F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI53F8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5AF8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4E62.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4E92.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4F4E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI58D1.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\setuperr.log C:\Windows\Installer\MSI6D4A.tmp N/A
File opened for modification C:\Windows\Installer\MSI53C6.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI54D6.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI749F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI856B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5308.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI409A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4204.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI53E7.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI54C5.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5275.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5296.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e593500.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4B7D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4CB8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4D17.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5244.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI52C8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI53B5.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI858B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5DA9.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7B77.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3FCE.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4224.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI51C4.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5223.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5264.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI52B8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI42C1.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7346.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4C59.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5234.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI53D7.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5A1B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5A6B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6D4A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI74AF.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e593500.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{FC61B946-B9CF-4AD3-9042-4FF8CFF0440A} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4B0F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5146.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\setupact.log C:\Windows\Installer\MSI6D4A.tmp N/A
File opened for modification C:\Windows\Installer\MSI5089.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI53C5.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4D95.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI54F6.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{FC61B946-B9CF-4AD3-9042-4FF8CFF0440A}\ARPPRODUCTICON.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{FC61B946-B9CF-4AD3-9042-4FF8CFF0440A}\ARPPRODUCTICON.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e593504.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5286.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI52A7.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-11 = "Power saver" C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\SysWOW64\cscript.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\cscript.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-15 = "Balanced" C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\cscript.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs C:\Windows\SysWOW64\cscript.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\TELEPHONY\HANDOFFPRIORITIES\MEDIAMODES C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-13 = "High performance" C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\cscript.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs C:\Windows\SysWOW64\cscript.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\cscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\cscript.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\NSReplayFile C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\NSReplayFile\DefaultIcon C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\MiscStatus C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C58E5039-E78C-441D-AA62-383AD6F38FC8}\1.0\0\win32\ = "C:\\Program Files (x86)\\NetSupport\\NetSupport Manager\\IcoViewer.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell\show\command C:\Windows\Installer\MSI6D4A.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{106389BC-E301-4C17-AA3A-C3B31829EDD0}\ = "IIconViewer" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{106389BC-E301-4C17-AA3A-C3B31829EDD0}\TypeLib\Version = "1.0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\NSReplayFile\Shell C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IcoViewer.IconViewer\ = "IconViewer Class" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\ProgID C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\649B16CFFC9B3DA40924F48FFC0F44A0\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\ = "IconViewer Class" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell\show\command\ = "\"C:\\Program Files (x86)\\NetSupport\\NetSupport Manager\\pcinssui.exe\" /ShowVideo \"%L\"" C:\Windows\Installer\MSI6D4A.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{106389BC-E301-4C17-AA3A-C3B31829EDD0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\InprocServer32\ = "C:\\Program Files (x86)\\NetSupport\\NetSupport Manager\\IcoViewer.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IcoViewer.IconViewer.1\CLSID\ = "{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71C5A887-11E0-4c5a-9B9B-D4A074555692}\InProcServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\NetSupport\NetSupport Manager\winst64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Insertable\ C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IcoViewer.IconViewer.1\CLSID\ = "{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\649B16CFFC9B3DA40924F48FFC0F44A0\SourceList\Media\1 = "DISK1;1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\649B16CFFC9B3DA40924F48FFC0F44A0\InstalledByMSI = "CommonFiles" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\TypeLib\ = "{C58E5039-E78C-441D-AA62-383AD6F38FC8}" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Version\ = "1.0" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\649B16CFFC9B3DA40924F48FFC0F44A0\CommonFiles = "NSM" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C58E5039-E78C-441D-AA62-383AD6F38FC8}\1.0\ = "IcoViewer 1.0 Type Library" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\ProgID\ = "IcoViewer.IconViewer.1" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\649B16CFFC9B3DA40924F48FFC0F44A0 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IcoViewer.IconViewer\CLSID C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71C5A887-11E0-4c5a-9B9B-D4A074555692} C:\Program Files (x86)\NetSupport\NetSupport Manager\winst64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Programmable C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C58E5039-E78C-441D-AA62-383AD6F38FC8}\1.0\0\win32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{C58E5039-E78C-441D-AA62-383AD6F38FC8}\1.0\FLAGS C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\ToolboxBitmap32\ = "C:\\Program Files (x86)\\NetSupport\\NetSupport Manager\\IcoViewer.dll, 101" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Version\ = "1.0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C58E5039-E78C-441D-AA62-383AD6F38FC8}\1.0\FLAGS\ = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.rpf\ = "NSReplayFile" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{106389BC-E301-4C17-AA3A-C3B31829EDD0}\TypeLib\Version = "1.0" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\649B16CFFC9B3DA40924F48FFC0F44A0\PackageCode = "EC858AFDC98CBA84B9C222A071FA1749" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IcoViewer.IconViewer.1 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IcoViewer.IconViewer C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Version C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\649B16CFFC9B3DA40924F48FFC0F44A0\AuthorizedLUAApp = "1" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\VERSIONINDEPENDENTPROGID C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\649B16CFFC9B3DA40924F48FFC0F44A0 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\649B16CFFC9B3DA40924F48FFC0F44A0\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell C:\Windows\Installer\MSI6D4A.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Control\ C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell\show C:\Windows\Installer\MSI6D4A.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71C5A887-11E0-4c5a-9B9B-D4A074555692}\ = "Client32Provider" C:\Program Files (x86)\NetSupport\NetSupport Manager\winst64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\MiscStatus\1 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\649B16CFFC9B3DA40924F48FFC0F44A0\SourceList\PackageName = "whopper.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\MiscStatus C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\649B16CFFC9B3DA40924F48FFC0F44A0\Language = "1043" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C58E5039-E78C-441D-AA62-383AD6F38FC8}\1.0 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\TypeLib C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Programmable C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell\show\ = "&Tonen met NetSupport School" C:\Windows\Installer\MSI6D4A.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\ToolboxBitmap32 C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Market_Time_New_Conditions.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4484 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\Market_Time_New_Conditions.exe C:\Windows\SysWOW64\msiexec.exe
PID 4484 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\Market_Time_New_Conditions.exe C:\Windows\SysWOW64\msiexec.exe
PID 4484 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\Market_Time_New_Conditions.exe C:\Windows\SysWOW64\msiexec.exe
PID 4804 wrote to memory of 2440 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4804 wrote to memory of 2440 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4804 wrote to memory of 2440 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4804 wrote to memory of 3340 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\cmd.exe
PID 4804 wrote to memory of 3340 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\cmd.exe
PID 3340 wrote to memory of 3760 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3340 wrote to memory of 3760 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3340 wrote to memory of 3760 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4804 wrote to memory of 4524 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI54F6.tmp
PID 4804 wrote to memory of 4524 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI54F6.tmp
PID 4804 wrote to memory of 4524 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI54F6.tmp
PID 4804 wrote to memory of 4440 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4804 wrote to memory of 4440 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4804 wrote to memory of 4440 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4804 wrote to memory of 1480 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI5AF8.tmp
PID 4804 wrote to memory of 1480 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI5AF8.tmp
PID 4804 wrote to memory of 1480 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI5AF8.tmp
PID 4804 wrote to memory of 64 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\NetSupport\NetSupport Manager\checkdvd.exe
PID 4804 wrote to memory of 64 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\NetSupport\NetSupport Manager\checkdvd.exe
PID 4804 wrote to memory of 64 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\NetSupport\NetSupport Manager\checkdvd.exe
PID 4804 wrote to memory of 4120 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI6D4A.tmp
PID 4804 wrote to memory of 4120 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI6D4A.tmp
PID 4804 wrote to memory of 4120 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI6D4A.tmp
PID 4120 wrote to memory of 232 N/A C:\Windows\Installer\MSI6D4A.tmp C:\Program Files (x86)\NetSupport\NetSupport Manager\winst64.exe
PID 4120 wrote to memory of 232 N/A C:\Windows\Installer\MSI6D4A.tmp C:\Program Files (x86)\NetSupport\NetSupport Manager\winst64.exe
PID 4804 wrote to memory of 2220 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI74AF.tmp
PID 4804 wrote to memory of 2220 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI74AF.tmp
PID 4804 wrote to memory of 2220 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI74AF.tmp
PID 3616 wrote to memory of 1616 N/A C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe
PID 3616 wrote to memory of 1616 N/A C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe
PID 3616 wrote to memory of 1616 N/A C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe
PID 4804 wrote to memory of 3888 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe
PID 4804 wrote to memory of 3888 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe
PID 4804 wrote to memory of 3888 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe
PID 3888 wrote to memory of 948 N/A C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe
PID 3888 wrote to memory of 948 N/A C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe
PID 3888 wrote to memory of 948 N/A C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe
PID 1616 wrote to memory of 2632 N/A C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe C:\Windows\SysWOW64\cscript.exe
PID 1616 wrote to memory of 2632 N/A C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe C:\Windows\SysWOW64\cscript.exe
PID 1616 wrote to memory of 2632 N/A C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe C:\Windows\SysWOW64\cscript.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Market_Time_New_Conditions.exe

"C:\Users\Admin\AppData\Local\Temp\Market_Time_New_Conditions.exe"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\ibcbwacl.fho\whopper.msi /q

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding E2DE02605713CA7F0CE658F432EDB4A0

C:\Windows\system32\cmd.exe

cmd.exe /c ATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{FC61B946-B9CF-4AD3-9042-4FF8CFF0440A}\\nsm.lic"

C:\Windows\SysWOW64\attrib.exe

ATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{FC61B946-B9CF-4AD3-9042-4FF8CFF0440A}\\nsm.lic"

C:\Windows\Installer\MSI54F6.tmp

"C:\Windows\Installer\MSI54F6.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport Manager\" /EU

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 0D57307C35BFAB0B5DD3A5622F9915EA E Global\MSI0000

C:\Windows\Installer\MSI5AF8.tmp

"C:\Windows\Installer\MSI5AF8.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport Manager\" /EU

C:\Program Files (x86)\NetSupport\NetSupport Manager\checkdvd.exe

"C:\Program Files (x86)\NetSupport\NetSupport Manager\checkdvd.exe"

C:\Windows\Installer\MSI6D4A.tmp

"C:\Windows\Installer\MSI6D4A.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport Manager\" /EV"NetSupport School" /EF".\Log Files" /EF".\Bookmarks" /EF".\Tests" /EF".\Store" /EF".\inv" /EF".\Resources" /EF".\Help" /EF".\Image" /EF".\Sound" /EF".\Video" /EA /EX /EC /Q /V /Q /I *

C:\Program Files (x86)\NetSupport\NetSupport Manager\winst64.exe

winst64.exe /q /q /ex /i

C:\Windows\Installer\MSI74AF.tmp

"C:\Windows\Installer\MSI74AF.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport Manager\" /EI

C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe

"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe" /* *

C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe

"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe" * /VistaUI

C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe

"C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe" /Q "C:\Program Files (x86)\NetSupport\NetSupport Manager\Client32.ini"

C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe

"C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\SysWOW64\cscript.exe

"cscript.exe" C:\Windows\system32\Printing_Admin_Scripts\en-US\prnport.vbs -a -r NSM001 -h 127.0.0.1 -o raw -n 58128

Network

Files

C:\Users\Admin\AppData\Local\Temp\ibcbwacl.fho\Client32.ini

MD5 f21c50aa6dc247c7b4284b61e76c525f
SHA1 873865fc3528f98713eb99f495beb90085a596e1
SHA256 587a341b24eab5e18ff78169d9ba5dc15181fc4390b801cd2c7f549440a4d24a
SHA512 6d49d33433d4971602b48140fd57d9fbd339fc1e1f352a3eb93e49f628018a0ad4f6c23c5e222e27decac07b1cb428beefe3004f218e525e058913d0e594e95e

C:\Users\Admin\AppData\Local\Temp\ibcbwacl.fho\NSM.lic

MD5 d2c2217861f5535686409d80a0867f6f
SHA1 f4d90bebfcf8f501e5b9f0427028f696c3a191c7
SHA256 af9c79cf3af6a7e969208da78dfcfac54d6f956545b46f434d0e447cff94807b
SHA512 656deac03f9d81792e3d78108fb7d6754ca4a21a30f0e8da72e71f64b0b015dfc299d5478a8cc27acb05a0ec7e01c2c1cfcc9eb40041e4fe0a790414e42b4a37

C:\Users\Admin\AppData\Local\Temp\ibcbwacl.fho\whopper.msi

MD5 fe67aa0ba045bf84861f1f6a65749ebd
SHA1 777a28dc06204438b797c0b8d924713350d5c87f
SHA256 016b1bb3c921add87c24d78449db3d4c0760512cd16cc80782bc7d2b6eefd143
SHA512 dc36b03f0418c41e3665c1b2707b2b0fa36d5854197767771a4513be7527e9b4853e101d830d6848f72066c4329b7fee828977ab78bc116186226c6622ae94b4

C:\Users\Admin\AppData\Local\Temp\ibcbwacl.fho\whopper.msi

MD5 0c74e5ae7fc61202d305f16e4e8433a1
SHA1 d07bdd8e2a41a1ef1899036c614bbc999d42d8ee
SHA256 f4153bb9e48f2b638e511b6d346cb1f83a8d5c3294a40dcb3f839aa729773294
SHA512 bbcc6dacbfe35dd143e35c21b3ba50c804f1f50a2bb0a78ef7818be01929bddd670bc1e13eb609c86a9db357be87908f24d2da68cf3036772f34160dae19d406

C:\Windows\Installer\MSI3FCE.tmp

MD5 0e6fda2b8425c9513c774cf29a1bc72d
SHA1 a79ffa24cb5956398ded44da24793a2067b85dd0
SHA256 e946b2fae0b36c43064463a8c16a2774adac30c4188c5af90e9338b903c501c9
SHA512 285bb7759a1214abed36162ac8be2d48df17a05278c4de97562448e20fd43b635563a6819f37e23d92a5f5ed0205a68bffe43dac0d3a67513bd0303b4e7f89aa

C:\Windows\Installer\MSI409A.tmp

MD5 d524b639a3a088155981b9b4efa55631
SHA1 39d8eea673c02c1522b110829b93d61310555b98
SHA256 03d91c8cd20b846625a092a3dae6a12369930c65d6216a455a00449ebb0dc289
SHA512 84f8ab54122f93a40da08fd83bca767ab49eb0f73c4ab274d9bda11dd09224134df011fa02e5a3abbafcc6fbef6a60673dd48feabdf829a1e22c85a2a759b7ac

C:\Users\Admin\AppData\Local\Temp\DLL_{FC61B946-B9CF-4AD3-9042-4FF8CFF0440A}.ini

MD5 ecebf33c351a8f487e1e5dbfcbeee352
SHA1 64c3f5dcc9bf09440b9f935c47fcdea4fa53740f
SHA256 6acc3f9012eddea3874404a805c3f0453593bc8d09b19ee44f55a00ce14827d9
SHA512 4ac1b79bc092bc1cbbfdb51ecd0937aad486ee34813c198003af31ee706b251704bf88ae7b9d92358c6d26af056b97b129b8a387c9b326cf393d3814b2645725

C:\Windows\Installer\MSI4176.tmp

MD5 ea15a2262abd2cb7c4d241a58ba92d51
SHA1 307b5da3ea460dc7f3bc3e8420acb526a9d51233
SHA256 30c9c51a46dd6a3405f73c3ebc96199e08299315990c0ed53c4fd72498aaf002
SHA512 c552acafb70a4561d049f8bda3a58d3858a5df7380a93a9bef47ff5a2c99c605f4f408fc6a4a147bbf7c0b2231475e9629609036f9d1c354890d6a4ce0833eb3

C:\Windows\Installer\MSI42C1.tmp

MD5 a1b7850763af9593b66ee459a081bddf
SHA1 6e45955fae2b2494902a1b55a3873e542f0f5ce4
SHA256 41b8e92deba5206c78817236ed7f44df95636ca748d95fab05f032f5aec186af
SHA512 a87a302a9a0d19d7ce293b42f5e7bc09664b21307a5321f226157fcc57eb2df2b59c6651878cb23969a182c82b55e8671ff00f8462194b81a907974a49cb25b1

C:\Windows\Installer\MSI4CB8.tmp

MD5 2d16190938ed8fbe7a39edbd172e5374
SHA1 183a4f1c92a762e48d5b0171b6e002f51395352b
SHA256 1c0b33e7e648c877537e47051e799a4feda0c6ee200f0bedcf1e393e853f437c
SHA512 f75a792d9c8cda3f79b5addb7e80b598f576dd7bf895eae017a5605f727de15f0605a7bf1d1546bbbb1239cb4f68d3f65543a3ae1c62c5fb409eed9a5749d6ad

C:\Windows\Installer\MSI4D95.tmp

MD5 7d754a7f0d51626a1b139d555da4ae0e
SHA1 3bfdcebb18cd151c6b1b007fa546aec0c08b8cde
SHA256 02324ec9dbcfbf8a2a923b4f86a4108fd1a9c8e7f78f1b8ff9706a4edbc82f9f
SHA512 004cb932456335ed82fa2c5c6fb089d4398feaa16b8fd7189e3c6e5097b69c6e06dec2fe57c76c4314b6dc66533aef56ddf80fb28a9cc6cc3d35e52af9f0d033

C:\Windows\Installer\MSI4D95.tmp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Program Files (x86)\NetSupport\NetSupport Manager\WINSTALL.EXE

MD5 3dcc148a999c6fe570b61a0cb8635057
SHA1 cd6d084b0b696f6d4083ff0b81c8b64956c221e4
SHA256 55c901291f733771c04cf3eef0c831f7923652001d316ed58f3f620be706c5bc
SHA512 1bc406cdd72f5791f71e9f0dff380174f92c764a2323c1ba95fb38a5a5b01a85535c62d4a0f3f36a38839a524246fb27c86c8a92304a578492ea0a66ebe4d314

C:\Windows\Installer\MSI7346.tmp

MD5 c4ca339bc85aae8999e4b101556239dd
SHA1 d090fc385e0002e35db276960a360c67c4fc85cd
SHA256 4ab23609cdc64d10b97c9ccb285ed7100f55d54d983cd50762da25ecac4357f9
SHA512 9185ec32545fc838d7fef6c9e4dd222dd02114c661b0b344f16287d55e6571bfe7a4233a852acc579d07bcdbab18c5c034c465b1f4bb78535ed51c3499087fe0

C:\Config.Msi\e593503.rbs

MD5 fa710a744bd7b4505ff8e9ccc46a0bc3
SHA1 661dc100ad1b418e4da79eac331ce3e111dc7063
SHA256 7989b57d7fb600eb628eaa2f88fc80c7b392a2b29d2f3e15480ad8f3add37e96
SHA512 9f6dbbb2f59726d8ce5ecfaf20dd17b27c1bd2c755038665c341e47480b5560c87a39cf6e719253e9e2cf752edd7593185ed61b20aa7717abfed37df099989f5

memory/3888-441-0x0000000002C30000-0x0000000002DD3000-memory.dmp

memory/1616-446-0x00000000066E0000-0x0000000006804000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{FC61B946-B9CF-4AD3-9042-4FF8CFF0440A}\product.dat

MD5 ff7c0d2dbb9195083bbabaff482d5ed6
SHA1 5c2efbf855c376ce1b93e681c54a367a407495dc
SHA256 065d817596d710d5a06060241acc207b82b844530cc56ff842ff53d8ff92a075
SHA512 ea226b3a55fc59175136f104df497ebf5055624fb1c1c8073b249dfc5e1ed5818a6feee995aa82cf9ed050f1adc7a62994c90b1af03569dfe0d4551ee2bc70c9

memory/4484-465-0x00000000745F0000-0x0000000074DA0000-memory.dmp

memory/3616-467-0x0000000002B40000-0x0000000003148000-memory.dmp

memory/1616-468-0x0000000004090000-0x0000000004698000-memory.dmp